I-Ching & InfoSec

I-Ching & InfoSec
易經和資安
Any sufficiently advanced technology is indistinguishable from magic. – A. C. Clarke
The ancient book of wisdom is indistinguishable from advanced science. – C. Lin
Chuan Lin,
CISSP

Summary
 This is a theory craft of gleaming Information Security
(InfoSec) from the Book of Changes.
 It is an attempt to look at InfoSec outside the box, the
leading edge world of technology, from the most
venerable book of knowledge.
 I-Ching is known to be the Most Modern of Ancient
Wisdom. It bears resemblance to binary codes and DNA.
Can it provide insight to InfoSec as well?

What is InfoSec
 Information Security, according to Wikipedia, is about
defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, recording or
destruction.
 While this is not new to the modern society, technology,
economic, and social media have created the need to
protect corporate and individual information in addition to
state government.
 Information Security will be the norm from now on as what
one learns about protecting corporate and state information
can also be applied at personal level.

What is I-Ching
 Who (者) – Fu Xi, one of the
legendary Chinese Sovereigns,
and King Wen of Zhou Dynasty,
were credited to be the authors.
 When (時) – Official date was
around 1059 BC though most
believed it existed much earlier
than that. It was introduced to
the West in 17th Century.
 Where (處) – It originated in
China.
 What (何) – I-Ching is the
accumulated wisdom which
Chinese arts, music, philosophy,
religion, medicine, astronomy,
arithmetic, literature, military,
martial art, divination, science
and technology were derived
from.

Information Security Breakdown
資安分列
What is Information?
What are we securing?

At Root Level View of
Information Security
 Security is about protecting. For InfoSec
Professional (InfoSec Pro), it is to ensure that
information remains confidential, integral, and
available to authorized individuals.
 Information is about how a person utilizes a
given data.
 If a person doesn’t know how to handle a given
data, then that information is useless.
 If a person is given a wrong data, than that
information is useless.
 If a person is given a set of data that she knows
and provides that data is correct, then this
information is useful.

Next Level View of
Information Security
 A more detail analysis of
what is InfoSec:
 Securing people from
reveal key information
 Securing data from
unauthorized access
 Securing data input from
corrupting data
 Securing data output from
unlawful usage

Tertiary View of
Information Security, Part 1 (of 8)
 What are we protecting?
People at both individual/family
and corporate/state level
People are susceptible to social
engineering, or psychological
influence, into reveal key
information that would breach
information security.
This is a challenging task because
hardening against social engineer
tended to go against our human
traits and nature.

Tertiary View of
 Data at both individual/family
and corporate/state level
 Data by itself, is very dormant and
with correct access code, very
accessible.
 This is the focus of InfoSec Prof on
how to safeguard data whether it
is at rest or in transit. But this is only
a component of the bigger
picture.

Tertiary View of
 Application
 Application requires data and/or
inputs to produce desire outputs.
Its side effect is that unsecured
application can leak data.
 Next to people, this presents a
challenge for InfoSec Pro since
we are not adopt to scrutinize
lines of codes or in most cases to
certify third party applications as
been secured.

Tertiary View of
 Data Bank/Cloud/Server Farm
 We generate more and more
data, and we want them to be
instantly accessible yet secure.
Cloud technology is the solution.
 Most big cloud service providers
have met US government security
requirement. The physical location
(in US) is vast and with acres of
servers which make searching for
particular set of data to be
proverbial needle in hay stacks.

Tertiary View of
 Internet
 It allows us to connect with each
other and to have easier access
to information. While internet
provides us quick avenue to
information, it also gives crooks an
expeditious passage to our lives
and data.
 A combination of mindful
browsing habits, secured browser,
and password manager will avoid
80% of pitfalls.

Tertiary View of
 Home and office
 We tend to think our homes as
our sanctuary and our offices as
safe working environments. This
causes us to be lax with
securing our data until rogue(s)
steal them.
 Being a physical location,
security access can be
established. But problems arise
from trading security for
convenience and security lax
from daily routines.

Tertiary View of
 Wifi
 Smartphones are primary factor
for pushing data wireless. We are
already transmitted pictures via
social media apps and now,
payment information as well.
 Technology to grab sensitive data
over airwave are becoming
available. Wifi jamming devices
are also popular items.

Tertiary View of
 energy
 While utility companies begin to
offer network services, they are
crucial in information security
because they provide the necessary
energy to power security devices.
 A black out would render the world
best security devices useless; a
brown-out would destroy the world
best security devices. Surge
protection and alternate power
sources are part of information
security planning.

Information Security through
I-Ching Point of View
資安透過易經觀點

An Holistic View of
I-Ching/InfoSec
 易有太極，是生兩儀
 I(易)is Taiji that generates two
primary forces. (tr. Wilhelm and Baynes 1967:318-9)
 I(易)is Information that generates
two primary sources.
 As InfoSec Pro, our duty is to
protect information to make sure
it is confidential, integral, and
available.
 And information concedes into
two primary sources: data &
person
太
極

An Holistic View of
I-Ching/InfoSec
 易有太極，是生兩儀
 Two primary forces in I Ching are
yin and yang.
Yin Yang
negative positive
female male
earth heaven
employees manager
0 1
data person
 Yin – receiving, potential, and
passive forces of nature
 Yang – giving, kinetic, and active
forces of nature
 Data = Yin – data is inert and
requires a person to decipher and
act on.
 Person = Yang – person is active
and able to use data to create a
useful information.
 As InfoSec Pro, we need to
protect both person and data.
兩
儀

An Holistic View of
I-Ching/InfoSec
 兩儀生四象
 The two primary forces generate
the four images.(tr. Wilhelm and Baynes 1967:318-9)
 Here in I Ching, the concept of
time and state is introduced
through the four images.
 The two primary sources generate
the four states.
 Likewise, for InfoSec, after break
down information into data and
person, we’re introduced to state
of data that need to be
protected.
四
象

An Holistic View of
I-Ching/InfoSec
 Four ImagesFour States
Old YangPerson
Young YangInput
Young YinOutput
Old YinData
四
象
老陽/Old Yang
 In I-Ching, it represents the
peak state, summer, prime,
very active, south, noon
 In InfoSec, this represents
person, a small group of
people, they are capable of
generating and utilizing
data.
少陽/Young Yang
growing state, spring, young
adult, active, east, dawn
data input, data is to be
processed; data is in motion
to becoming information.
少陰/Young Yin
declining state, fall, middle
age, sluggish, west, dusk
data output, data has been
modified; data as
information
老陰/Old Yin
restful state, winter, senior,
restful, north, midnight
 In InfoSec, this represents raw
data, unmodified data, data
storage

Examples of Four States of Information
Old
Yang
Young
Yang
Young
Yin
Old Yin
People
Data
Input
Data/
Data
Process
Data
Output

An Holistic View of
I-Ching/InfoSec
 四象演八卦
 The four phenomena act on the
eight trigrams (bagua)
(tr. Wilhelm and Baynes 1967:318-9)
 I Ching: trigrams are nature forces
 The four states act on the eight
mediums.
 InfoSec: mediums are building
blocks of InfoSec world.
 When we breakdown a
information system, its
components will be one of eight
mediums described in the
following slides.
八
卦

An Holistic View of
I-Ching/InfoSec
 Qian in I-Ching
八
卦
Image in Nature sky
Wilhelm’s
Translation
the Creative
Family
Relationship
father
Body Part Head
Binary Code 111
State Active
 Qian in InfoSec
 Are people because we are the
active force. We create data; we
transform data into useful
information.
 Example: In this PowerPoint
presentation, you are the one in
control. You can continue, stop,
rewind, or quit.
 InfoSec: People are hard to
safeguard because the need to
be active vs. the need to be
restrain.

An Holistic View of
I-Ching/InfoSec
 Kun in I-Ching
八
卦
Image in Nature earth
Wilhelm’s
Translation
the Receptive
Family
Relationship
mother
Body Part belly
Binary Code 000
State Receptive
 Kun in InfoSec
 Are data because they are
amenable. Data created,
manipulated, and accessed by us.
By itself, it does nothing.
 Example: In this PowerPoint
presentation, words and graphic
you see are data. They simply
presented my thoughts and may
become information if you have
similar background as me.
 InfoSec: Data are easiest to
safeguard because they are
inactive. But encryption will slow
down our access to them.

An Holistic View of
I-Ching/InfoSec
 Li in I-Ching
八
卦
Image in Nature fire
Wilhelm’s
Translation
the Radiance
Family
Relationship
2nd daughter
Body Part eye
Binary Code 101
State adaptable
 Li in InfoSec
 Are application because they transfer
data into something useful or malicious.
Application is meaningless with data
just like fire without fuel.
 Example: In this presentation, MS
PowerPoint and browser you used are
applications that manipulate and
display data into relevant information.
Without these data, PowerPoint would
open up to a blank page or your
browser would get an 404 error.
 InfoSec: While it is easy to use white &
black lists to restrict applications, but
like Prometheus, someone will
inadvertently bring in the wild fire.

An Holistic View of
I-Ching/InfoSec
 Kan in I-Ching
八
卦
Image in Nature water
Wilhelm’s
Translation
the Abysmal
Family
Relationship
2nd son
Body Part ear
Binary Code 010
State In-motion
 Kan in InfoSec
 Are internet because like traditional
waterways, it brings life, communication,
and commence among people from
different areas. Even now, we use terms
like torrents, phishing, upstream,
downstream, and flood to describe
situation involve with internet.
 Example: In this presentation, you are
accessing it through internet for content
delivery. And like waterway, things move
quickly when there's no congestion and
when it choke, you receive your cargo in
sporadically.
 InfoSec: Like traditional waterways,
companies build series of dams (aka
firewalls) to limit inflow and outflow of
commodities. The problem is, sometime
we have to find out where are leaks and
seepage.

An Holistic View of
I-Ching/InfoSec
 Gen in I-Ching
八
卦
Image in Nature mountain
Wilhelm’s
Translation
Keeping Still
Family
Relationship
3rd son
Body Part hand
Binary Code 001
State completion
 Gen in InfoSec
 Are buildings and hardware because
these are the closest things that endure in
InfoSec world where things are constantly
changing. Building and hardware are
traditionally as places where wealth and
data are stored.
 Example: In this presentation, you are
most likely view it in the comfort of your
home or office that protects and gives
you a sense of privacy and security. Even
a coffee shop environment is preferred
than outdoor (unless it is a perfect
weather and few traffics)
 InfoSec: As a physical fixture, it is easily
defend. Locks, security devices, lights,
fixtures, and guards are used in
conjunction to deter, detect, delayed,
and denial threats.

An Holistic View of
I-Ching/InfoSec
 Dui in I-Ching
八
卦
Image in Nature lake
Wilhelm’s
Translation
the Joyous
Family
Relationship
3rd daughter
Body Part mouth
Binary Code 110
State tranquil
 Dui in InfoSec
 Are cloud environment because here is
where massive amount of data are stored.
If we use the analogy of internet as
waterway, all arteries eventually flow into
lake or ocean. And if you think of the
source of tributaries, most come from
mountain (office buildings/homes).
 Example: In this presentation, this power
point slide is uploaded into slideshare.net
which may end up in Amazon cloud or
Microsoft Azure or another massive data
storage location.
 InfoSec: It has both a virtual and physical
location. And in both cases, the massive
sizes and # of backups, make it nearly
impossible to attacks. Instead, threats
come from stolen ID, denial of services, or
simply bomb the place out of existence.

An Holistic View of
I-Ching/InfoSec
 Xun in I-Ching
八
卦
Image in Nature wind
Wilhelm’s
Translation
the Gentle
Family
Relationship
1st daughter
Body Part thigh
Binary Code 011
State Gentle entrance
 Xun in InfoSec
 Are wifi technology because data are
travelling through the air. This
technology allows people to move
away from rivulets of network cables
and let them to transfer data through
zephyr of major telecoms.
 Example: In this presentation, this
PowerPoint can be view with wifi
connection and through mobile
devices.
 InfoSec: This is a relatively new frontier
and brought focus to encrypting data
on the move. Most data (especially
credit card payment) transfer are
unprotected and can be easily
grabbed by another mobile device.

An Holistic View of
I-Ching/InfoSec
 Zhen in I-Ching
八
卦
Image in Nature thunder
Wilhelm’s
Translation
the Arousing
Family
Relationship
1st son
Body Part foot
Binary Code 100
State initiative
 Zhen in InfoSec
 Are energy like its natural image. Info
Sec environment is depended on
energy.
 Example: In this presentation, you don't
see the undercurrent energy. But you
will feel it if any of your device, the
server that housed this power point, or
any one network infrastructure in
between runs out of juice.
 InfoSec: Energy is one of new area for
InfoSec Prof to be concerned of. While
blackout can knock out our layer
defenses, it also deny attackers access
to data. But when things are powered
back on, our defense network may not
be up and ready.

An Holistic View of
I-Ching/InfoSec
 八八六十四卦
 eight eights are sixty-four
hexagrams
(tr. Wilhelm and Baynes 1967:318-9)
 I Ching: hexagrams described all
natural conditions in terms of
human relations. And each
condition has its 6 stages of
progression.
 eight by eight creates sixty-four
situations.
 InfoSec: These 64 situations have
their own life cycle and possible
disruptions.
六
十
四
卦
Discussion of 64 Hexagram/Situations is
beyond the scope of this Power Point.

Defensive View of
Information Security & I-Ching
易經與資安防禦

High Level View of
Information Security through I-Ching
 This is the final stage of using I
Ching method for information
security.
 It is uncomprehensive to the
uninitiated but key ideas behind it
are
 Beside human factor, I Ching/
InfoSec utilizes both time element
and physical location as part of
defense in layers.
 Despite it seemly complexity, it is
quite portable whether apply to
physical location or to virtual
domain.
防
禦

Encryption in
InfoSec/I-Ching
 Encryption is a necessity in
InfoSec that prevents
unauthorized access.
 In previous section, I Ching
symbolism is used to relate to
Information Security.
 Now, we are exploring applied
math in I Ching for Encryption.
 To the right is the Yellow River
Diagram symbolism which
translate into mathematical
equation by clicking on it.
先
天

Encryption in
InfoSec/I-Ching
 Yellow River Diagram represents
the State of Heaven at rest.
 Correspondingly, this method of
encryption is for data at rest.
 Here is the algorithm of encoding
and decoding data.
 This is the modern interpretation
of same algorithm.
 Now, as which one to use, well,
isn’t that the secret.
河
圖

Encryption in
InfoSec/I-Ching
 To the right is the Luo River Scroll
symbolism that translated into
mathematical equation by
clicking on it.
 It represents the State of Heaven
in Motion.
 Correspondingly, it can represents
data in motion.
 Why, because data in motion
requires fast encapsulation and
decapsulation than data at rest.
後
天

Encryption in
InfoSec/I-Ching
 This mathematical equation is
popularly known in the West as
Sudoku.
 The idea behind Sudoku is that
any lines (vertical, horizontal,
diagonal) must add up to same
number.
 So during data transition, it is
encapsulated with series of
numbers that when decoded on
the other side, must add up to a
number in a Sudoku like box in
order to validate the data.
洛
書

Encryption in
InfoSec/I-Ching
方
圖  Prior Information Age, decoding
Sudoku was relatively easy but to
break a 1 – 64 square was a
challenge.
 These symbolism can be
translated into mathematical
value.
 Then the entire square looks like
this….

Encryption in
InfoSec/I-Ching
方
圖  Information Age brought us
incredible process power that
whatever within this square can
quickly decode.
 But what if, we are to decode 4
squares of 64 numbers?
 As process power improves, we
escalate the number of square by
power of 2?
 These squares can be used either
for Yellow River or Luo River
encryption.

Encryption in
InfoSec/I-Ching
 However, the problem with previous
method is it can be too encumber for
data in motion because that will
increase amount of decoding time.
 Hence the concept of I Ching in time
reference. Each hexagram represents
approximately 5~6 days (number on I
Ching are example and not correct)
 Time element introduces variance of
how to decode the encapsulated
encryption.
 E.g. Out of 16 hash code, we’re
dropping every other 3 and 4 number.
 E.g. Each of 16 hash code is multiply by
9, 8, 7 or 6
圓
圖

Encryption in
InfoSec/I-Ching
 So by combing both square and
circular I Ching, we’re introducing
a complex encryption scheme
that is portable and yet versatile.
 This is also commonly known as
the circular and square formation
of I Ching hexagrams which is
traditionally represented in 2D.
 And here is the 3D rendition of the
circular and square formation.
圓
圖

Offensive View of
Information Security & I-Ching
易經與資安攻略

Offensive View of Information Security
資安攻勢論
 Three Types of Attackers
 Individual
 Organization
 State/Enterprise
 Purpose of the Attacks
 Fame
 Gains
(Economic/Terminal/scientific)
 Revenge

Offensive View of Information Security
資安攻勢論
 Currently attack techniques are
mostly web-based or through
networks.
 But as network defense and
encryption are getting complex,
social engineering attacks are on
the rise.
 Maybe within next 10 years,
state/enterprise level will conduct
full spectrum attacks to probe
target weakness.
 Next 8 slides will discuss theoretical
threats from I Ching perspective.

Offensive View of Info Sec/I-Ching –
Attacking the Mind
 Social Engineering - When
defensive technology is solid,
attackers may use the human
elements as an alternate attack.
 Not everyone is trained to be
security mindfulness
 Everyone has various degree of
Greed, Anger, and Ignorance
that can be exploited.
 Identity Theft
 Profits, Revenge, Cyberbully
乾
攻
心

Attacking the Data
 Extracting Data –
 To gain State secrets
 To gain economictechnological
advantage
 To embarrass individual
 Inserting Data (false)
 To redirect attacks
 To disrupt economic
technological advantage
 To maineradicatedisable
individual (through false medical
information, identify theft)
坤
攻
資

Attacking Applications
 Hostile applications are the most
common means of attack since we
are all depended on software to
conceptualize, to convert, and to
create useful information from a set of
data.
 There are gamut of PUPs (potentially
unwanted programs) ranged from
stealing, redirecting, spying, cloning,
disabling, controlling, etc.
 Like arms races, threat and anti-threat
applications have escalated that in
mid 2014, Symantec acknowledged
anti-virus software by itself is no longer
adequate to stop threats.
離
火
攻

Attacking Network
 Strategically, states controlled
internet pipelines.
 Tactically, states,
organizations, groups, or
individuals can control bots
that conducted either low
orbit ion cannons or high orbit
ion cannons which can cause
denial of services attacks to
knock down one or a series of
domains or networks.
坎
攻
網

Attacking the Base
 Theft is most common form of
attacks against individual
properties, homes, offices, and
corporate centers.
 Nearly all of us carry sensitive
data within our portable devices.
 In time of economic hardship,
employees can be bribed to
destroy or to steal corporate data
with relatively low risk to instigator.
 Beside money, grievance
employees may also be willful
accomplices to data theft.
艮
攻
堡

Attacking the Cloud
 Cloud storage vendors currently
enjoy relative scale of (too big to
be hacked) operation as a
defense mean against attack.
 Google Barge is the perfect
example of a mobile cloud
storage with plenty of water to
disperse heat and containers of
servers to store data.
 Any attacks against Cloud
Storage Vendor will be property
destruction to prevent data for
being available.
兌
攻
雲

Attacking the Wind
 Wifi and cellular data plan offer
the convenience and mobility of
data creators.
 One method of attacking is to
grab data transmitted in public
wifi area. This targets small
business owners who often used
wifi to do credit card transaction.
 Another method is to create wifi
and cellular jammer to deny data
and voice communication.
巽
攻
風

Attacking the Energy
 Like cloud storage providers, utility
companies also seem to enjoy
relative scale of operation to be
safe from attacks.
 But unlike cloud storage, the goal
of attacking the energy source
doesn’t have to be at the utility
site, but can be as close as local
grid where data resided.
 Without backup power source,
most company’s defenses will go
offline in a blackout.
震
攻
電

Offensive View of Info Sec/I-Ching
資安/易經攻勢論
 At individual level
 The attacker has lot more
variety of motivation than
those at organization and
state level.
 Some are not necessary
malicious but simply curious.
 Individual only has resources
to utilize 1-2 methods of
attacks: social engineering,
theft, or DDOS.

Offensive View of Info Sec/I-Ching
資安/易經攻勢論
 At organization/state level
 Motivations are easier to
define by greed, grandeurs, or
grievance
 They have sufficient resources
to coordinate attacks of
various methods.
 But to use all 8 method of
attacks would constitute an
act of war even if it is direct at
an organization within the
same state.

Summary – 略
 InfoSec is all about protecting data.
 There are books, blogs, and webinars on how to protect and what to look out for.
 But like all warfare, involving technology and techniques are evolving rapidly.
 Sometime, it is better to step out of a box and look at InfoSec from a different
perspective.
 I-Ching is not just the Book of Wisdom, or the Book of Divination. It should
also be viewed as the Book of Applied Science because of three principles
it promotes:
 The I(易) is simple to understand once you realize the pattern
 The I(易) is changing (just look at germinating virus, Trojans and ransomwares)
 The I(易) is constant (data is the goal, whether acquiring or denying it)

References – 參考
 Slide 33 & 41: The Yi Globe – the Cosmos in the I Ching is done by József
Drasny, Budapest, 2007 and his website: http://www.i-
ching.hu/index.htm
 Following graphs are from Hackmageddon
(http://hackmageddon.com/)
 Slide 43: motivations behind attacks, September 2014
 Slide 43: distribution of targets, September 2014,
 Slide 44: attack techniques, September 2014
 Slide 53: Top 10 famous computer hackers images are from
http://h4x3r.quora.com/Top-10-famous-Computer-HACKERS
 Slide 54: various images are pulled from bing image search based on
the article, http://www.topcomputersciencedegrees.com/notorious-
hacker-groups/

I-Ching & InfoSec

Recommended

Recommended

More Related Content

More from Chuan Lin

More from Chuan Lin (20)

Recently uploaded

Recently uploaded (20)

I-Ching & InfoSec